2) Import broker certificate to nssdb. It looks like something strange could happen here. Certutil returns 0 exit code but the "broker" certificate was not created. I am also not able to reproduce it but it happened in a case.-------------------------Executing 'certutil A -d '/etc/pki/katello/nssdb' -n 'broker' -t ',,' -a -i '/etc/pki/katello/certs/satellite.example.com-qpid-broker.crt''------------------------

3) Convert the broker private key and certificate to pkcs12 format. There is a problem in this command. It should pass a certname option ("-name broker") but it didn't. Therefore, a "pfx" file without nickname was created.-------------------------Executing 'openssl pkcs12 in /etc/pki/katello/certs/satellite.example.com-qpid-broker.crt -inkey /etc/pki/katello/private/satellite.example.com-qpid-broker.key -export -out '/etc/pki/katello/satellite.example.com-qpid-broker.pfx' -password 'file:/etc/pki/katello/nssdb/nss_db_password-file''------------------------

4) Import the generated "pfx" file to nssdb using pk12util command. Since no nickname is provided by the "pfx" file, it will generate a nickname in the format of "{Common Name} - {Org}". In this case "satellite.example.com - SomeOrg". -------------------------Executing 'pk12util i '/etc/pki/katello/satellite.example.com-qpid-broker.pfx' -d '/etc/pki/katello/nssdb' -w '/etc/pki/katello/nssdb/nss_db_password-file' -k '/etc/pki/katello/nssdb/nss_db_password-file''------------------------

To prevent the above issue, I suggest to add "-name broker" to the "openssl pkcs12" command in step (3). I also think that the "certutil -A" command in step (2) is not needed. Since we are going to import both broker private key and ssl certificate using "pk12util" command in step (4), why do we still need to run "certutil -A"?